Using the UAA Command Line Interface (UAAC), an administrator can create users in the User Account and Authentication (UAA) server.

Note: The UAAC only creates users in UAA, and does not assign roles in the Cloud Controller database (CCDB). In general, administrators create users using the Cloud Foundry Command Line Interface (cf CLI). The cf CLI both creates user records in the UAA and associates them with org and space roles in the CCDB. Before administrators can assign roles to the user, the user must log in through Apps Manager or the cf CLI for the user record to populate the CCDB. Review the Creating and Managing Users with the cf CLI topic for more information.

Run uaac token client get admin -s ADMIN-CLIENT-SECRET to authenticate and obtain an access token for the admin client from the UAA server. Replace ADMIN-CLIENT-SECRET with the admin secret you retrieved in the previous step. UAAC stores the token in ~/.uaac.yml.

$ uaac token client get admin -s MyAdminSecret

Use the uaac contexts command to display the users and applications authorized by the UAA server, and the permissions granted to each user and application.

In the output from uaac contexts, search the scope section of the client_id: admin entry for scim.write. The value scim.write represents sufficient permissions to create accounts.

If the admin user lacks permissions to create accounts, add the permissions by following these steps:

Run uaac client update admin --authorities "EXISTING-PERMISSIONS scim.write" to add the necessary permissions to the admin client on the UAA server. Replace EXISTING-PERMISSIONS with the current contents of the scope section from uaac contexts, so that the update does not drop permissions the client already holds.

Run uaac token delete to delete the local token.

Run uaac token client get admin to obtain an updated access token from the UAA server.

Create an Admin Read-Only User

The admin read-only account can view but not modify almost all Cloud Controller API resources. The admin read-only account cannot view process stats or logs.

If you want to create an admin read-only user account, then perform the following steps:

Obtain the credentials of an admin client created using UAAC as above, or refer to the uaa: scim section of your deployment manifest for the user name and password of an admin user.

Run uaac token client get admin -s ADMIN-CLIENT-SECRET to authenticate and obtain an access token for the admin client from the UAA server. Replace ADMIN-CLIENT-SECRET with your admin secret. UAAC stores the token in ~/.uaac.yml.

Create a Global Auditor

The global auditor account has read-only access to almost all Cloud Controller API resources but cannot access secret data such as environment variables. The global auditor account cannot view process stats or logs.

Perform the following steps to create a global auditor account.

Obtain the credentials of an admin client created using UAAC as above, or refer to the uaa: scim section of your deployment manifest for the user name and password of an admin user.

Run uaac token client get admin -s ADMIN-CLIENT-SECRET to authenticate and obtain an access token for the admin client from the UAA server. Replace ADMIN-CLIENT-SECRET with your admin secret. UAAC stores the token in ~/.uaac.yml.

Run uaac member add GROUP NEW-USERNAME to add the new global auditor account to the cloud_controller.global_auditor group.

$ uaac member add cloud_controller.global_auditor Alice

Grant Admin Permissions to an External Group (SAML or LDAP)

To grant all users under an external group admin permissions, do the following:

Obtain the credentials of an admin client created using UAAC as above, or refer to the uaa: scim section of your deployment manifest for the user name and password of an admin user.

Run uaac token client get admin -s ADMIN-CLIENT-SECRET to authenticate and obtain an access token for the admin client from the UAA server. Replace ADMIN-CLIENT-SECRET with your admin secret. UAAC stores the token in ~/.uaac.yml.

Note: The UAA does not grant scopes to users in external groups until the next time each user logs in. Users granted scopes through external group mappings must therefore log out of PCF and log back in before their new scopes take effect.

Grant Admin Permissions for LDAP

Run the commands below to grant all users under the mapped LDAP Group admin permissions. Replace GROUP-DISTINGUISHED-NAME with an appropriate group name.

Grant Admin Permissions for SAML

Retrieve the name of your SAML provider by navigating to the PAS tile on the Ops Manager Installation Dashboard, clicking Authentication and Enterprise SSO, and recording the value under Provider Name. For more information about configuring PCF for a SAML identity provider, see the Configuring Authentication and Enterprise SSO for PAS topic.

Run the commands below to grant all users under the mapped SAML group admin permissions. Replace GROUP-NAME with the group name, and SAML-PROVIDER-NAME with the name of your SAML provider.

Create Users

Obtain the credentials of an admin client created using UAAC as above, or refer to the uaa: scim section of your deployment manifest for the user name and password of an admin user.

Run cf login -u NEW-ADMIN-USERNAME -p NEW-ADMIN-PASSWORD to log in.

$ cf login -u Adam -p newAdminSecretPassword

Run cf create-user NEW-USER-NAME NEW-USER-PASSWORD to create a new user.

$ cf create-user Charlie aNewPassword

Change Passwords

Obtain the credentials of an admin client created using UAAC as above, or refer to the uaa: scim section of your deployment manifest for the user name and password of an admin user.

Run uaac token client get admin -s ADMIN-CLIENT-SECRET to authenticate and obtain an access token for the admin client from the UAA server. Replace ADMIN-CLIENT-SECRET with your admin secret. UAAC stores the token in ~/.uaac.yml.

$ uaac token client get admin -s MyAdminSecret

Run uaac contexts to display the users and applications authorized by the UAA server, and the permissions granted to each user and application.

In the output from uaac contexts, search the scope section of the client_id: admin entry for password.write. The value password.write represents sufficient permissions to change passwords.

If the admin user lacks permissions to change passwords, add the permissions by following these steps:

Run uaac client update admin --scope "EXISTING-PERMISSIONS password.write" to add the necessary permissions to the admin client on the UAA server. Replace EXISTING-PERMISSIONS with the current contents of the scope section from uaac contexts, so that the update does not drop permissions the client already holds.

Run uaac token delete to delete the local token.

Run uaac token client get admin to obtain an updated access token from the UAA server.

Run uaac password set USER-NAME -p TEMP-PASSWORD to change an existing user's password to a temporary password.

$ uaac password set Charlie -p ThisIsATempPassword

Provide the TEMP-PASSWORD to the user. Have the user run cf target api.YOUR-DOMAIN, then cf login -u USER-NAME -p TEMP-PASSWORD, and then cf passwd to replace the temporary password with one of their own. See the Configuring UAA Password Policy topic to configure the password policy.

Retrieve User Email Addresses

Some Cloud Foundry components, like Cloud Controller, only use GUIDs for user identification. You can use the UAA to retrieve the email addresses of your Cloud Foundry instance users, either as a list or, for a specific user, by that user's GUID.

Follow the steps below to retrieve user email addresses:

Run uaac target uaa.YOUR-DOMAIN to target your UAA server.

$ uaac target uaa.example.com

Record the uaa:admin:client_secret from your deployment manifest.

Run uaac token client get admin -s ADMIN-CLIENT-SECRET to authenticate and obtain an access token for the admin client from the UAA server. Replace ADMIN-CLIENT-SECRET with your admin secret. UAAC stores the token in ~/.uaac.yml.

$ uaac token client get admin -s MyAdminSecret

Run uaac contexts to display the users and applications authorized by the UAA server, and the permissions granted to each user and application.

In the output from uaac contexts, search the scope section of the client_id: admin entry for scim.read. The value scim.read represents sufficient permissions to query the UAA server for user information.

If the admin user lacks permissions to query the UAA server for user information, add the permissions by following these steps:

Run uaac client update admin --authorities "EXISTING-PERMISSIONS scim.read" to add the necessary permissions to the admin client on the UAA server. Replace EXISTING-PERMISSIONS with the current contents of the scope section from uaac contexts, so that the update does not drop permissions the client already holds.

Run uaac token delete to delete the local token.

Run uaac token client get admin to obtain an updated access token from the UAA server.
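The "check uaac contexts, then update the admin client with EXISTING-PERMISSIONS plus the new one" procedure appears three times above (for scim.write, password.write and scim.read). The script below is an added example, not part of the Cloud Foundry documentation or the UAAC tool: it parses a constructed sample of uaac contexts output, reports whether the admin client already holds a given permission, and builds the merged --authorities string so the update cannot silently strip permissions the client already has. The sample output and the REDACTED token values are assumptions.

```shell
#!/bin/sh
# Added example: derive the EXISTING-PERMISSIONS list for the admin client from
# `uaac contexts` output and merge in a required permission without dropping any.

# Constructed sample of `uaac contexts` output (assumption; a real run would use
# CONTEXTS="$(uaac contexts)"). Note that scim.write is NOT present yet.
SAMPLE_CONTEXTS='[0]*[https://uaa.example.com]

  [0]*[admin]
      client_id: admin
      access_token: REDACTED
      token_type: bearer
      expires_in: 43199
      scope: clients.read password.write clients.secret clients.write uaa.admin scim.read
      jti: REDACTED'

# admin_scopes CONTEXTS-TEXT: print the scope list of the client_id: admin entry,
# one permission per line. Only the block belonging to client_id "admin" is read.
admin_scopes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*client_id:/ { cur = ($2 == "admin") }
        cur && /^[[:space:]]*scope:/ { for (i = 2; i <= NF; i++) print $i; exit }'
}

# has_scope CONTEXTS-TEXT PERMISSION: exit status 0 if the admin client has it.
has_scope() {
    admin_scopes "$1" | grep -qx "$2"
}

# merged_authorities CONTEXTS-TEXT PERMISSION: existing permissions plus
# PERMISSION (appended only if missing), space-separated, ready for --authorities.
merged_authorities() {
    if has_scope "$1" "$2"; then
        admin_scopes "$1" | tr '\n' ' ' | sed 's/ $//'
    else
        { admin_scopes "$1"; printf '%s\n' "$2"; } | tr '\n' ' ' | sed 's/ $//'
    fi
}

# update_plan CONTEXTS-TEXT PERMISSION: print the exact commands the page's
# procedure calls for, so an operator can review them before running anything.
update_plan() {
    if has_scope "$1" "$2"; then
        echo "admin client already has $2; no update needed"
    else
        echo "uaac client update admin --authorities \"$(merged_authorities "$1" "$2")\""
        echo "uaac token delete"
        echo "uaac token client get admin"
    fi
}

update_plan "$SAMPLE_CONTEXTS" scim.write
```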